
Debian Dovecot DLA-4556-1 CVE-2025-59031 Denial of Service Attack

May 1, 2026
Multiple vulnerabilities in Dovecot could lead to serious security issues like Denial of Service and information leaks. Immediate updates required.
Multiple vulnerabilities were discovered in dovecot, a POP3/IMAP server, which could lead to Denial of Service, information leak, path traversal, authentication bypass, replay atta...

Summary

CVE-2025-59031

The decode2text.sh example script, which was installed into
dovecot-core/examples, was found to handle zip-style attachments in
an unsafe manner. In particular, OOXML extraction may follow symlinks
and read unintended files during indexing. The script is no longer
installed.
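
For sites that maintain their own attachment decoder in place of the removed script, one way to pull text out of an OOXML (.docx) attachment without ever extracting it to disk, so no symlink can be followed. This is an added example, not Dovecot's or Debian's code; `docx_text`, `make_sample`, `UnsafeArchive` and the `MAX_BODY` limit are names and values assumed here, and the sample archives are constructed in memory.

```python
import io
import re
import stat
import zipfile

MAX_BODY = 8 * 1024 * 1024          # assumed cap on the decompressed body
DOCX_BODY = "word/document.xml"     # main part of a .docx package


class UnsafeArchive(Exception):
    """The attachment holds an entry this decoder refuses to process."""


def docx_text(data: bytes) -> str:
    """Return plain text from an in-memory .docx without writing to disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Unix mode bits sit in the upper 16 bits of external_attr.
            if stat.S_ISLNK(info.external_attr >> 16):
                raise UnsafeArchive(f"symlink entry: {info.filename!r}")
            parts = info.filename.split("/")
            if info.filename.startswith("/") or ".." in parts:
                raise UnsafeArchive(f"path escapes archive: {info.filename!r}")
        try:
            body = zf.getinfo(DOCX_BODY)
        except KeyError:
            raise UnsafeArchive("no word/document.xml member") from None
        with zf.open(body) as fh:
            xml = fh.read(MAX_BODY + 1)   # bounded read, whatever the header claims
    if len(xml) > MAX_BODY:
        raise UnsafeArchive("document body too large")
    text = re.sub(rb"<[^>]+>", b" ", xml)  # crude tag strip, enough for indexing
    return " ".join(text.decode("utf-8", "replace").split())


def make_sample(with_symlink: bool = False) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(DOCX_BODY, "<w:document><w:t>hello</w:t><w:t>world</w:t></w:document>")
        if with_symlink:
            link = zipfile.ZipInfo("word/media/link")
            link.create_system = 3                      # Unix
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, "/nonexistent/constructed-target")
    return buf.getvalue()
```
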

CVE-2025-59032

It was found that the ManageSieve AUTHENTICATE command crashes the
ManageSieve service when a literal is used as the SASL initial
response, leading to Denial of Service.

CVE-2026-0394

A path traversal vulnerability was discovered in the passwd-file
passdb/userdb when Dovecot has been configured to use per-domain
passwd files, which allows /etc/passwd to be read inadvertently in
some situations. If this file contains passwords, it can be used to
authenticate wrongly, or, if this is a userdb, it can incorrectly
make system users appear to be valid users.

CVE-2026-27855

The OTP authentication driver was found to be vulnerable to replay


Severity: critical

Package: dovecot
Version: 1:2.3.13+dfsg1-2+deb11u3
CVE ID: CVE-2025-59031 CVE-2025-59032 CVE-2026-0394 CVE-2026-27855
